Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, July 19, 2023, 10:16 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


BreachForums Owner Pleads Guilty

Back in March, we reported on the arrest of the owner of BreachForums, one of the biggest sites for sale of stolen databases containing PII, and its subsequent closure by the new administrator. The owner and operator of BreachForums had used the handle 'Pompompurin', but the FBI identified him as Conor Brian Fitzpatrick, arresting him at his home in Peekskill, New York and charging him with conspiracy to commit access device fraud.

Another chapter in this story was written last week when Fitzpatrick pleaded guilty to three charges:

  • 18 U.S.C. § 1029(b)(2) and 3559(g)(1) Conspiracy to Commit Access Device Fraud;
  • 18 U.S.C. § 1029(a)(6) and 2 Access Device Fraud – Unauthorized Solicitation; and
  • 18 U.S.C. § 2252(a)(4)(B) and (b)(2) Possession of Child Pornography

Fitzpatrick has agreed to pay restitution, which is likely to exceed $US700,000, based on the gross proceeds of his operation. He remains free on a $US300,000 bond, but his bail conditions restrict him from using any computer unless it has a monitoring program installed by the court, as well as various other online activities. And related to that third charge, he is allowed no unsupervised contact with minors.

He will be sentenced in the Eastern District of Virginia on 17 November, when he could face a jail term of up to 40 years.

Dissent, Owner of BreachForums pleads guilty in federal court to three counts, including one involving child pornography, blog post, 14 July 2023. Available online at https://www.databreaches.net/owner-of-breachforums-pleads-guilty-in-federal-court-to-a-charge-that-shocks-everyone/.

Adobe, Citrix, Oracle, Release Security Patches

Yet another big day for sysadmins, with three major vendors releasing security fixes.

Adobe ColdFusion

Adobe is first cab off the rank, with updates for ColdFusion versions 2023, 2021, 2018, which all contain a critical (CVSS score 9.8) insecure deserialization vulnerability, CVE-2023-38203, which could allow remote code execution. The fix is to update to ColdFusion 2023 Update 2, ColdFusion 2021 Update 8 or ColdFusion 2018 Update 18. (Your scribe is simply surprised that ColdFusion is still a thing, recalling an amusing pen-testing engagement involving it, back in the heady days of the ".com boom".)

Adobe, Security updates available for Adobe ColdFusion, security bulletin APSB23-41, 14 July 2023. Available online at https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html.

Citrix NetScaler ADC and NetScaler Gateway

Citrix is grappling with three major vulnerabilities affecting multiple versions of NetScaler ADC (Application Delivery Controller) and NetScaler Gateway:

That last vulnerability is being exploited in the wild, so affected customers are urged to update as soon as possible.

Citrix, Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467, security bulletin, 18 July 2023. Available online at https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467.

Oracle - Multiple Products, Plus Solaris and Linux

Finally, Oracle has released its quarterly Critical Patch Update Advisory, as well as its Solaris Third Party Bulletin and Linux Bulletin. The Critical Patch Update Advisory alone contains 508 new security patches across multiple product families - there's literally something for everyone, including users of MySQL, Oracle itself, and all the related applications and API's, including JD Edwards and Siebel.

Oracle, Oracle Critical Patch Update Advisory - July 2023, security alert, 10 July 2023. Available online at https://www.oracle.com/security-alerts/cpujul2023.html.

Oracle, Oracle Solaris Third Party Bulletin - July 2023, security alert, 18 July 2023. Available online at https://www.oracle.com/security-alerts/bulletinjul2023.html.

Oracle, Oracle Linux Bulletin - July 2023, security alert, 18 July 2023. Available online at https://www.oracle.com/security-alerts/linuxbulletinjul2023.html.

FIN8 Revamps Sardonic Black Cat

The FIN8 cybercrime group (a.k.a. Syssphinx) has been active since at least early 2016, initially targeting point-of-sale systems, but gradually expanding into ransomware attacks on the retail, hospitality, entertainment and other sectors. The group makes extensive use of LOLbins and abuses legitimate services in order to evade detection, and generally uses spear phishing and social engineering to gain initial access.

FIN8's ransomware ventures have generally made use of other groups' tools. Beginning in 2021 with the Ragnar Locker, they then switched to White Rabbit. Now researchers from Symantec's Threat Hunter Team report that FIN8 have reappeared after a break to retool yet again, this time making use of the notorious ALPHV/BlackCat ransomware.

This time, the FIN8 crew have revamped the backdoor they previously used to install White Rabbit. Known as Sardonic, this backdoor was written in C++ and made use of that language's standard library. Perhaps with the goal of evading detection by automated static analysis, the new version of Sardonic has been rewritten in C, and its C2 protocol has been rejigged, perhaps to throw off network IDS/IPS and EDR products.

The Symantec blog post details the techniques FIN8 used to install the Sardonic backdoor, making use of PowerShell commands and scripts to download it and establish persistence. Apart from a detailed analysis of the techniques, it also contains a description of the Sardonic C2 protocol and a list of IOC's.

Symantec Threat Hunter Team, FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware, blog post, 18 July 2023. Available online at https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: